Two-Factor Authentication: What Happens When You Lose Your Phone?

Plenty of people have been checking out our guide to services that support two-factor authentication. That's excellent from a security perspective, but a question has popped up which is worth addressing separately: what happens if you're using a system that relies on your mobile phone and you lose the phone itself?

Picture by Michael Coghlan

A quick primer: two-factor authentication relies on you using both something you know (a password) and something you have (in this example, a one-time access code sent to your phone). If you misplace your phone, that doesn't put any accounts using two-factor authentication at risk directly. After all, even if someone has your phone, they don't have your main password. However, it does place you in a bind: you can't access anything because you don't have your phone.

This is a nuisance, but it is not an intractable problem. At a very basic level, if you've misplaced your phone permanently, chances are you'll try to get the same number reassigned by your carrier. Once that happens, you'll again receive the codes sent to that number.

You don't have to wait, however. Typically, services will offer a number of recovery options for people who either don't have their phone or who can't receive messages (which might happen if you're overseas). These can include:

  • If you're already signed into a service on another device, you may be able to disable two-factor authentication. (This will work if a service only verifies your identity every 30 days a la Google or when you attach a new device a la Dropbox, but not for services that require a code every time you sign in.)
  • Many services provide you with a backup code which can be entered if two-factor authentication isn't an option. This will only be supplied once at signup, so make sure you take note of it and keep it somewhere secure.
  • Some services (such as Google) allow you to specify a backup phone where codes can be sent. This could be a partner or family member.
  • If those options fail, there will usually be some form of recovery service available. This can take time to process, however, so it's worth the effort of setting up one of the other approaches ahead of time.

To find the specifics for an individual service, check its help section. Whatever approach you use, make sure you re-enable two-factor authentication once you do have a replacement phone.


Comments

    It's a good thought. I use some two-factor services with my phone and it hadn't crossed my mind what would happen if I lost my phone.

    And you've got me thinking now - I'm off to double-check that the backup/secondary/recovery details each of those providers has stored for me.

      It's a pain but it's not nearly as annoying as you would think. I didn't know any of my recovery details and it got in my way for about five days (lost it on a Friday night and was fairly busy with work at the time, which slowed it down). Once you've been through it all once, you'll learn what each service provides as a plan B, know to ask about it when signing up for something new and know to store those details in a secure place.

        Yep, it's not too bad. Had my smartphone stolen while overseas in Vietnam. I wasn't coming back to Aus for another 6 months too, but getting all my 2 factor turned off and then re-enabled onto a new phone was not too much hassle. 3 GApps accounts, LastPass and AWS done in under an hour.

        And I tell you what, I am _really_ glad that I had 2 factor turned on. Going through and changing all my passwords on every other account without 2 factor was much more annoying. Losing a smartphone is worse than losing a wallet these days! (which was stolen at the same time also, so I know...)

    It's something I always think about when signing up for those systems! Despite never having lost a phone.

    Recently, though, my old prepaid number expired due to credit starvation, and that was where I had my banking codes sent. I could still log in to my accounts, but not transfer money to most people. I called each bank and they verified my identity through the usual question-and-answer routine (the social engineering implications are always worth remembering) and allowed me to change my registered mobile number.

    I'm in two minds about enabling it for something like Gmail, as although it's very important, I have the feeling that when I need to access it from an unusual computer it'll be a situation where something drastic has happened and I may not have my phone.

      Google has an option to generate 10 "one-time use" passwords. You can print these out and stick them in your wallet for times when you don't have a phone or you are using a foreign computer and worried about keyloggers and/or the person standing behind you.

        Ok, but the same reservation applies. Just amend "a situation where something drastic has happened and I may not have my phone" to include "phone, wallet, keys, passport, whatever". The flexibility that comes from carrying everything you need in your head seems to be at odds with two-factor authentication.

        As in my first comment, banks accommodate this by providing customer service over the phone. I have full confidence that if I have a problem with my bank, I can call them and resolve the matter quickly. I don't have the same confidence in Google, which is unfortunate.

          Hey! You said you didn't have a phone! ;)

          I think your only alternative there is to not have 2-factor authentication.

          Alternatively, I suppose you could memorise a one time password on the rare occasion it's needed? It is only 8 numbers ... ;)

            Not a bad option, I suppose. I still like the customer service angle. Actually, does Google offer better service in this manner if you pay for one of their accounts?

            The good thing about phones is that you can use any of them, but I'm assuming you knew that and were being snarky :P

      But your Google account isn't just Gmail, it's your Calendar, Google Wallet, Maps, Google Drive.
      With that information, a hacker could potentially know your passwords for other sites (for those that send the username and password as a confirmation email), your home address and your calendar of events to identify when you're not going to be at home, and your friends/family addresses and when they're not going to be home, as well as access to your Credit Card through Google Wallet.

        Yeah, Google has many services. Is your point that it's important to secure that account? I said that so I'm not sure what you're trying to add. Care to clarify?

        From the article: "Some services (such as Google) allow you to specify a backup phone where codes can be sent. This could be a partner or family member."

        If you have no way at all to contact anybody, then I'd have to wonder how you're getting a password prompt from google.

    For convenience, as well as the backup phone (which fails if you're not near the person with that phone or can't get in touch because... you lost your phone), you can store the recovery codes for Gmail and the like either on Dropbox or as a LastPass secure note (or similar on other services). You can still access them from pre-approved computers without the 2 factor kicking in.

    For traveling, there's not really a good foolproof option yet except a temporary less secure storage for the override codes.

      These can be disabled and/or regenerated at any time.

        That was meant to be replying to my own post above ..

    Question: I travel a LOT. So much that I have different phones in different countries (prepaid, of course). Can I use two factor authentication?

      I don't see why not? As long as you two step verify all phones. Also there's an app called 'Google Authenticator' or something, that generates codes for you even without an internet connection or when your phone cannot be connected (eg. when travelling overseas).

        +1 for Google Authenticator - great for when you don't have mobile reception.

    Yes, 2 step authentication is good, but beware, it has already been hacked by thieves. Google 'mobile porting scam' and read up. Basically, esp in oz, it is really easy to have your mobile number ported to another carrier's SIM. And once the thief has done this (through social engineering), they only need a few extra details about you to hack into your online accounts that use 2 step SMS authentication. The issue here needs to be resolved by the telcos. They need to implement stricter ways to verify that you are the account holder of the mobile number before allowing you or a thief to port your mobile number. Maybe if we all contact our telcos and express our disgust and distress at the woeful security implementation of account owner verification procedures, they will sit up and listen and take our concerns very seriously. Call them now, and the relevant authorities, and make your voice heard. YubiKey is another 2 step authentication that requires a physical device and is used by LastPass and others. Maybe it might be safer to buy a USB YubiKey and verify LastPass this way. It will even work on Android devices with a small adaptor. I am going to spend $25 and buy one to see how well it works.

    I'm surprised the article didn't mention to remotely wipe or lock your phone as soon as possible. I'd be more concerned with doing this than accessing my services to turn off 2-factor auth.

    The reason is that the device your authenticating app or SMS codes are sent to is likely to be the one that is trusted/authorized to access the account and has the username/password saved in several places (think Firefox + the app in Facebook's case).

    Many thieves are still more concerned about racking up large phone and data bills than identity theft, but the risk is still great, especially if it's a taxi driver or hairdresser that knows a bit about you already, like who you work for or what suburb you live in, etc.

      I think you will find your password isn't saved anywhere. If the app supports 2-factor authentication you are redirected to a Google page and the app receives a cookie or hash valid for whatever time.

      If it doesn't you need to create an app-specific password, which only works for *that* app. You can't login with it and can easily disable it.

    Have you all forgotten what we used to do when we didn't have mobile phones and we wanted to make a call when out and about? We would ask a shop keeper if we could use their phone, use a public phone, etc.

    I wonder if it would be possible, in future (Or maybe such a thing exists now?), to have a second sim-card for one number? Just keep it locked up at home, or somewhere safe. Lose your phone? No big deal. Head out and buy a replacement, be it a permanent decent phone, or a cheap disposable, and put your backup sim in that.

    Uhm! From my understanding, the message is sent to a mobile number, not the phone per se. So if you cancel the SIM and get a replacement with the same number, wouldn't that sort things out?
